# HG changeset patch
# User Maxim Dounin <mdounin@mdounin.ru>
# Date 1338808039 0
# Node ID 356c911516587af895b2b7bf23c783bf19fc2416
# Parent  b9ea486e543f48eda194495ef1ca17448cc0e9ce
Merge of r4618: rewrite escaping fix (ticket #162).

The following code resulted in incorrect escaping of uri and possible
segfault:

    location / {
        rewrite ^(.*) $1?c=$1;
        return 200 "$uri";
    }

If there were arguments in a rewrite's replacement string, and length was
actually calculated (due to duplicate captures as in the example above,
or variables present), the is_args flag was set and incorrectly copied
after length calculation.  This resulted in escaping applied to the uri part
of the replacement, resulting in incorrect escaping.  Additionally, buffer
was allocated without escaping expected, thus this also resulted in buffer
overrun and possible segfault.

diff --git a/src/http/ngx_http_script.c b/src/http/ngx_http_script.c
--- a/src/http/ngx_http_script.c
+++ b/src/http/ngx_http_script.c
@@ -1043,7 +1043,6 @@ ngx_http_script_regex_start_code(ngx_htt
         }
 
         e->buf.len = len;
-        e->is_args = le.is_args;
     }
 
     if (code->add_args && r->args.len) {